Opendistro_security.nodes_dn configuration error


I’m currently getting the error:

[2019-06-17T12:13:54,589][ERROR][c.a.o.s.t.OpenDistroSecurityRequestHandler] [watcher_varmint] ElasticsearchException[Illegal parameter in http or transport request found.
This means that one node is trying to connect to another with 
a non-node certificate (no OID or opendistro_security.nodes_dn incorrect configured) or that someone 
is spoofing requests. Check your TLS certificate setup as described in documentation]

My nodes_dn config on both nodes is:

  - ",OU=MC,O=My Company,L=Seattle,C=US"
  - ",OU=MC,O=My Company,L=Seattle,C=US"

*names have been changed to protect the innocent.

I’ve tried the config with no quotes, single quotes, double quotes and continue to get the error. The certs are issued by Comodo and I can verify the cert chains and SSL keys every which way. I use them as SSL certs for a web server with no issue, but I cannot get my nodes to talk.

Any ideas would be much appreciated.

I had the same problem, and ended up having just the CN=<hostname(s)> statement in nodes_dn. Not the optimal solution, but it works. They all need to be signed and you need the correct root CA.

@leifyt when you view your certificate, does it include the below:

X509v3 Extended Key Usage: critical
                TLS Web Server Authentication

Subject: C=US, L=Seattle, O=My Company, OU=MC,


X509v3 Subject Alternative Name: 
                Registered ID:
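
An added example, not part of the thread or of the plugin's code: a small checker that takes the Subject line as openssl prints it (C first) and compares it with nodes_dn entries. It assumes each entry is matched as a whole string, with `*` and `?` as wildcards, against the RFC 2253 form of the subject (CN first, no spaces after commas); the hostname `node1.example.com` and all function names are hypothetical.

```python
import re

# Constructed sample: Subject as printed by `openssl x509 -text`; the CN is hypothetical.
SUBJECT = "C=US, L=Seattle, O=My Company, OU=MC, CN=node1.example.com"

def openssl_subject_to_rfc2253(subject):
    """Reorder an openssl Subject line (C first) into RFC 2253 form (CN first)."""
    subject = subject.strip().rstrip(",")
    # Split only where a new "KEY=" starts, so a value like "Foo, Inc" stays whole.
    parts = re.split(r",\s*(?=[A-Za-z][A-Za-z0-9.]*\s*=)", subject)
    rdns = []
    for part in parts:
        key, _, value = part.partition("=")
        value = value.strip().replace(",", "\\,")  # RFC 2253 escapes commas in values
        rdns.append(key.strip() + "=" + value)
    return ",".join(reversed(rdns))

def wildcard_regex(pattern):
    """Treat only * and ? as wildcards; every other character is literal."""
    return re.compile(re.escape(pattern).replace(r"\*", ".*").replace(r"\?", "."))

def diagnose(subject_line, nodes_dn):
    """Return (status, detail) for a certificate subject against nodes_dn entries."""
    dn = openssl_subject_to_rfc2253(subject_line)
    for entry in nodes_dn:
        if wildcard_regex(entry).fullmatch(dn):
            return ("match", entry)
    for entry in nodes_dn:
        # Entry copied straight from openssl output: attributes are in reverse order.
        if wildcard_regex(entry).fullmatch(subject_line.strip()):
            return ("reversed-order", entry)
        # Entry in the right order but with spaces after the commas.
        if wildcard_regex(re.sub(r",\s+", ",", entry)).fullmatch(dn):
            return ("extra-spaces", entry)
    return ("no-match", dn)

if __name__ == "__main__":
    entries = [
        "CN=*.example.com,OU=MC,O=My Company,L=Seattle,C=US",
        "C=US, L=Seattle, O=My Company, OU=MC, CN=*",
        "CN=node1.example.com, OU=MC, O=My Company, L=Seattle, C=US",
    ]
    for entry in entries:
        print(entry, "->", diagnose(SUBJECT, [entry])[0])
```

A `reversed-order` or `extra-spaces` result means the entry names the right certificate but is not written in the form the comparison is assumed to use.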